Running security teams can be difficult - frequent changes in priorities, new issues discovered all the time, 
and the fact that any one mistake can lead to data breaches or reputational damage all add up. COVID-19 is 
also in the mix - rather than being able to rely on the traditional network security model, employees are 
spread across a mix of locations including their homes. 


According to retired General Russel Honore, ‘Leadership is working with goals and vision; management is 
working with objectives.’ To achieve your goals around security today, you will have to make some changes to 
how you put together your objectives and how you measure results over time. 


What should our current objective around security be? 


Defining the goals for security involves looking at your organization’s needs, and then creating objectives that 
align with those demands. Translating company objectives into distinct, measurable and achievable tasks for 
security is where things have to change today. With more distributed and remote workforces in place, this 
means re-evaluating objectives and how they are delivered. 


As an example, we can look at IT asset management, or ITAM. ITAM is something that all companies should 
have in place, building an accurate inventory of all IT assets owned or operated by the company, and then 
keeping that list up to date. This list should be a foundation for all decisions around security, but many 
companies either don’t have a list at all or their data is periodically updated at best and therefore inaccurate. 


ITAM has its own international standard, ISO/IEC 19770, which provides best practices on how to ensure good 
asset management. So why do so many companies still find it difficult to achieve this requirement? Without 
this asset list, no company can state for certain that it is secure, so why is it not the first priority for IT 
security and operations teams? 


IT moves quickly. It always has. At the same time, making asset management a business objective has been a 
low priority. It has also been difficult to achieve in the first place, much less to keep up to date. Bring all these 
things together, and you have a task that is low on the priority list, hard to achieve and seen as thankless by 
the rest of the security team, let alone the rest of the business. This means that ITAM often gets seen as “too 
hard, so why bother?” 


Today, those assets can be distributed everywhere, making the job even harder. Therefore, the impact of 
COVID and mass remote working should change our objectives. Getting accurate and timely asset 
management data should be part of this change, particularly with employees working from home using 
corporate assets, or their own devices. What we missed in the past was the automation and scale abilities to 
make IT asset management easier to implement and easier to keep accurate. 


For security teams today, tracking all assets that connect to the network is no longer a valid objective. 
Instead, we have to track all corporate assets used for IT purposes - be they cloud applications, user accounts 
or any company IT systems, wherever they may be. This asset tracking has to be as complete as possible, and 
it has to take place in as near real time as possible too. 


We know our assets ... now what? 


Every month, the likes of Microsoft and Adobe will provide updates for their applications and operating 
systems, while Oracle releases patches on a quarterly basis. Out-of-band patches for severe issues will also be 
released. Managing these patches is an effective way to prevent the majority of potential attacks. 


Previously, many enterprises would split these tasks across teams - vulnerabilities would be tracked by the IT 
Security department and issues flagged for fixing. The IT Operations team would then be responsible for the actual 
deployment of patches and tracking how effective their roll-outs were. Today, this can be more problematic. 
Instead, the patch process has to be unified, so patches can be pushed from the centre out to all users and put 
in place automatically. 


As the volume of patches released continues to go up, the move to remote working has changed how these 
patches get applied in practice. Our objectives around patching therefore need updating. The patching 
process should be evaluated as part of the overall approach to vulnerability management. 


In order to put the right objectives in place here, it’s important to prioritize around applications and assets. 
To achieve this, you will have to look at your specific requirements around areas like compliance and 
security, which applications are most important, and where efforts should be concentrated. Setting these 
priorities is essential, as there is no ‘one size fits all’ approach that can suit everyone. 


Once you have put these objectives in place, you can determine your patching priority framework. This brings 
together your asset and vulnerability data, assigns priorities to those issues based on their risk levels, and 
then provides that list to work through. This data can update the business and show how well the 
organization is delivering on its security objectives. 
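
One way such a framework could join inventory and vulnerability data, as an added example that is not part of the original article. The asset names, issue labels, scoring weights and seven-day staleness threshold are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2020, 9, 1, tzinfo=timezone.utc)  # fixed clock so the run is repeatable

# Constructed inventory: criticality 1-5 is a business rating, last_seen is the latest check-in.
ASSETS = {
    "web-01":     {"criticality": 5, "remote": False, "last_seen": NOW - timedelta(minutes=10)},
    "laptop-014": {"criticality": 3, "remote": True,  "last_seen": NOW - timedelta(hours=2)},
    "laptop-231": {"criticality": 2, "remote": True,  "last_seen": NOW - timedelta(days=21)},
}

# Constructed findings: (asset id, placeholder issue label, severity 0-10, exploit known?)
FINDINGS = [
    ("laptop-231", "ISSUE-A", 9.8, False),
    ("web-01",     "ISSUE-A", 9.8, False),
    ("laptop-014", "ISSUE-B", 7.5, True),
    ("tablet-777", "ISSUE-C", 5.0, False),  # device the inventory has never heard of
]

def risk_score(severity, asset, exploit_known):
    """Assumed weighting: severity x criticality, raised for known exploits and remote devices."""
    score = severity * asset["criticality"]
    if exploit_known:
        score *= 1.5
    if asset["remote"]:
        score *= 1.2
    return round(score, 1)

def build_patch_queue(assets, findings, now, max_age=timedelta(days=7)):
    """Return (ranked work list, findings on untracked assets, assets with stale inventory data)."""
    queue, untracked, stale = [], [], set()
    for asset_id, issue, severity, exploit_known in findings:
        asset = assets.get(asset_id)
        if asset is None:
            # A finding with no inventory record is an inventory gap, not a low-priority patch.
            untracked.append((asset_id, issue))
            continue
        if now - asset["last_seen"] > max_age:
            stale.add(asset_id)  # the record may no longer describe the device
        queue.append((risk_score(severity, asset, exploit_known), asset_id, issue))
    queue.sort(key=lambda row: (-row[0], row[1], row[2]))
    return queue, untracked, sorted(stale)

if __name__ == "__main__":
    queue, untracked, stale = build_patch_queue(ASSETS, FINDINGS, NOW)
    for score, asset_id, issue in queue:
        print(f"{score:6.1f}  {asset_id:<11} {issue}")
    print("untracked:", untracked)
    print("stale inventory:", stale)
```

The untracked and stale lists are the figures to report alongside the queue, since they show how far the ranking can be trusted.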


Planning ahead around security 


The COVID-19 pandemic has changed priorities for CISOs. We face challenges around how we manage our 
objectives over time alongside potential budget cuts. Getting the right goals in place can help us find more 
efficient ways to deliver security, while also finding cost savings through automation and prioritization. 


We can encourage more innovation around what we think of as best practices. These are likely to have 
existed within our teams for years, yet they were developed for a very different working environment and 
business landscape. 


With so much of our operations captured in data, we can look at how our teams perform around the new 
objectives that we set, and then share this data internally. Our operations rely on real time visibility of our 
assets and vulnerabilities, while we can take advantage of our cloud services to automate our operations and 
fix problems faster. While there is a ‘new normal’ in place due to the COVID-19 pandemic, we can carry on 
improving our security performance through better objective setting and clearer adherence to business goals. 


